Splunk Search

How to dynamically change index value based on different time span selected?


Hi there, need a bit of help here. 


Our organisation recently changed the `index`, so we need to update all queries to search against the new index after an exact date. 

Our current solution is to create a duplicated dashboard, and use the new index in all queries. 

I was wondering if there are better ways to dynamically update the value of `index` based on the time span selected. 



Is there a way to dynamically update the index value based on the time span selected? For example, we'd like to use 'some_index_1' before 20th July 2023 and 'some_index_2' after 20th July 2023. 

Current query template:

index=some_index_1 cf_org_name=my_org_name cf_app_name=some_appName_1 message_type=OUT | search "Submit succesfull" | stats count


Thanks in advance.


If all the data you're interested in was going to some_index_1 before 20th July, and after that date the data was going to some_index_2, would it work if the queries search both indexes? For example:

(index=some_index_1 OR index=some_index_2) <other stuff>


Then the searches could span across the 20th July boundary and retrieve results from both old and new indexes.


Hi @cklunck , thanks for your prompt reply. 

Yeah, the solution you suggested worked. 

I was wondering if we can make the result (aka `stats count`) more granular, e.g. one row shows counts before 20th July 2023 and another row shows counts after. 

I should have mentioned this earlier: the `index` is not the only field that changed, we also changed `cf_app_name`, so I was wondering if those fields can be populated dynamically so it's easier to see results at a more granular level. Thanks. 




You need to specify how cf_app_name changed.  Assuming the values are already known, you can do the same, like


index IN (some_index_1, some_index_2) cf_app_name IN (app1, app2)


As to stats with before and after rows, you can do  something like

| eval cutover = if(_time < strptime("2023-07-20", "%F"), "before", "after")
| stats stats_fun(some_field) by cutover

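Putting the two suggestions together into one dashboard-ready search, as an added example that is not from the thread. It uses the cutover date from the question; some_appName_2 is an assumed name for the renamed app, and the expected_index/misrouted fields are added here as a consistency check:

```spl
index IN (some_index_1, some_index_2) cf_org_name=my_org_name cf_app_name IN (some_appName_1, some_appName_2) message_type=OUT "Submit succesfull"
| eval cutover = if(_time < strptime("2023-07-20", "%F"), "before", "after")
| eval expected_index = if(cutover == "before", "some_index_1", "some_index_2")
| eval misrouted = if(index != expected_index, "yes", "no")
| stats count by cutover index cf_app_name misrouted
```

strptime("2023-07-20", "%F") evaluates to midnight in the search user's configured timezone; if the cutover happened at a specific time, include it and a zone, e.g. strptime("2023-07-20 00:00:00 +0000", "%F %T %z"). Any row with misrouted=yes means events kept landing in the old index after the cutover (or reached the new index before it), which is worth confirming before retiring the old dashboard.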

Thanks @yuanliu , your suggestion worked for us. Thanks again.



Hi @Wendy ,

even if the suggested solution worked, I'd like to ask a question: why did you change your index?

Usually an index is chosen for two or three reasons: an index should store events with:

  • the same retention,
  • the same user accesses;

in addition (useful but not mandatory) events with similar volumes.

In other words, there's no utility in having many indexes with the same grants or the same retention policy that change over time (e.g. one index every year or every month for the same data).

It isn't so manageable to have many indexes.

At least, you could use eventtypes instead of index (https://docs.splunk.com/Documentation/Splunk/9.1.0/Knowledge/Abouteventtypes) so you can update your dashboard searches by updating the index list in only one place.

In other words, you could create an eventtype (called e.g. indexes) containing your main search:

index IN (some_index_1, some_index_2, some_index_3)

and use it in your dashboards:

eventtype=indexes cf_org_name=my_org_name cf_app_name=some_appName_1 message_type=OUT "Submit succesfull" 
| stats count

A final hint: don't use the search command after the main search because your search will be slower than putting the additional search parameters in the main search.

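As an added example (not from the thread), here is how the eventtype approach looks end to end. The eventtype is defined once, either in Settings > Event types or as an eventtypes.conf stanza named `[indexes]` whose `search` attribute is `index IN (some_index_1, some_index_2)`; the dashboard search below then references it and breaks counts down per day and per index, so after editing the index list you can see at a glance which index carries each day's events and whether any day has a gap across the cutover:

```spl
eventtype=indexes cf_org_name=my_org_name cf_app_name IN (some_appName_1, some_appName_2) message_type=OUT "Submit succesfull"
| bin _time span=1d
| stats count by _time index cf_app_name
| sort _time index
```

Because the index list lives only in the eventtype, adding some_index_3 later means changing that one definition; the dashboards keep working unchanged. Note that users need read access to the eventtype object (and, as always, to the underlying indexes) for the search to return data.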

